From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: auid=0 Date: Mon, 03 Aug 2015 15:06:37 -0400 Message-ID: <41115001.nqDBLmZtAp@x2> References: <3db3c7197b826469a01470b399b61d28.squirrel@webmail.umbc.edu> <8232042.ns10VY4MF9@x2> <5078d5cdd4a92b5757767c0f248ef91b.squirrel@webmail.umbc.edu> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <5078d5cdd4a92b5757767c0f248ef91b.squirrel@webmail.umbc.edu> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: rshaw1@umbc.edu Cc: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Monday, August 03, 2015 02:53:52 PM rshaw1@umbc.edu wrote: > > On Monday, August 03, 2015 02:11:31 PM rshaw1@umbc.edu wrote: > >> Comparing the "official" STIG content with the scap-security-guide > >> content, the former seems to have added corresponding rules for "-F > >> auid=0" that aren't present in scap-security guide. i.e. where > >> scap-security-guide will just have one rule: > >> > >> -a always,exit -F arch=ARCH -S -F auid>=500 -F > >> auid!=4294967295 -k delete > >> > >> the official content will have the above plus: > >> > >> -a always,exit -F arch=ARCH -S -F auid=0 -k delete > >> > >> Is the addition necessary? > > > > Does the official STIG allow root logins? If so, I think that is a big > > mistake > > and should be fixed. If it does not allow root logins, then the only way > > I can > > think of having auid to be 0 is for root cron jobs. > > It doesn't, but that doesn't mean they don't love to layer the hell out of > things. I wouldn't expect root cron jobs to be a threat. But if they are worried about insider threats, then there should be a bunch of other new rules that use the inter-object comparator. > >> It doesn't seem to be, as the rules caught root usage of, for example, > >> chmod > >> just fine without it (I had used su; not sure if there's a difference > >> between > >> that and other ways of being root.) I would like to make sure I'm right > >> before asking one group or the other to delete or add it, respectively. > > > > Perhaps they consider root cronjobs to be an attack vector? > > Perhaps. What about exploiting a daemon that runs as root? Daemons have auid set to -1. To get auid to be anything other than -1, the loginuid has to be set. That is typically done by pam_loginuid.so. > Would cron be the only one to show up as auid=0? Yes, because cron calls pam_loginuid to setup the user session. Atd would also do this, but I think the code is now based off the same executable. > I know there is some sort of thing that happens where the daemon will > inherit the uid of anyone who restarts it, but I'm not sure what > it would start as at boot. > > I'm hoping to not have to nearly double the amount of rules, but I'm > guessing it doesn't work to have auid >=500, !=4294967295, and =0 in the > same rule (when I tried it, it seemed to stop catching chmod altogether). Everything in a rule forms an "and" expression. So, auid>=500 && auid=0 is logically false. -Steve